Targeted attacks exploiting Flash flaw; Adobe issues fix

Adobe has issued a patch for a critical vulnerability in Flash Player that is being exploited in attacks against Internet Explorer and could affect multiple operating systems.

The patch fixes the vulnerability in Windows, Macintosh, Linux and Android OSes, Adobe said in a security advisory. Although the flaw affects all of those operating systems, reports of an exploit in the wild so far have involved only IE for Windows.

Users of Flash with Google’s Chrome browser are in the clear, Adobe said, since the patch has been installed automatically.

Adobe called the flaw an object confusion vulnerability that could crash an affected application and possibly allow an attacker to gain control of the system. The exploit discovered in the wild arrives in targeted attacks delivered via e-mail messages that try to trick a user into clicking a malicious file.

The company’s advisory offers instructions on how to check which versions of Flash you’re running, and recommends upgrading to the new versions of Flash.

Flash vulnerabilities have become a popular target for hackers because the software is ubiquitous, existing on practically every computer. The 2011 hack of RSA Security, for example, resulted from phishing e-mails that delivered a zero-day exploit of a Flash flaw.

In March, Adobe issued fixes for two other critical Flash vulnerabilities that, like this one, could lead to hackers taking control of systems.

About the Author

Kevin McCaney is editor of Defense Systems. Follow him on Twitter: @KevinMcCaney.